Verification of Authenticity and Responsiveness of Biometric Evidence And/Or Other Evidence

ABSTRACT

Authenticity and responsiveness of evidence (e.g., biometric evidence) may be validated without regard for whether there is direct control over a sensor that acquired the evidence. In some implementations, only a data block containing evidence that is (1) appended with a server-generated challenge (e.g., a nonce) and (2) signed by the sensor may validate that the evidence is responsive to a current request and belongs to a current session. In some implementations, trust may be established and/or enhanced due to one or more security features (e.g., anti-spoofing, anti-tampering, and/or other security features) being collocated with the sensor at the actual sampling site.

FIELD OF THE INVENTION

The invention relates to establishing trust in biometric evidence and/orother evidence by verifying responsiveness and/or authenticity withoutregard for whether there is direct control over a sensor that acquiredthe evidence.

BACKGROUND

The Internet is a vast collection of interconnected computers, connectedto a vast variety of resources (e.g., information, services, and data).Many of these resources are protected from unauthorized access. Numeroustechnologies exist around protecting resources such as firewalls,virtual private networks (VPN), application servers, cloud computingappliances, and/or other technologies.

Authorization may refer to a process of determining whether a user has aright to access a resource. Authentication may refer to a process ofconfirming that a user is actually is the person they claim to be.Authorization does not necessarily involve identification. However, inmany forms of authorization, the user's identity is required. A commonform of authentication relies on user-name and password. That is, theuser claims an identity (e.g., via the user-name), and that identity issubsequently verified by matching the password that the user entered toa password previously stored in an authentication database and/or othermemory. Of course, any person with knowledge of the username andpassword can potentially access protected resources.

Authentication can take many forms. By way of non-limiting example,forms of authentication may include something known (e.g., a secretpassword, your mother's birthday, and/or other knowledge), somethingpossessed (e.g., a credit card, a cryptographic token, and/or otherpossessions), some physical feature (e.g., a facial feature,fingerprint, iris patterns, and/or other physical features). These itemsmay sometimes be referred to as evidence of a claimed identity.

The term “biometric” comes from “bio,” indicating a reliance on abiological feature, and “metric,” which means measurement. As such,biometric literally means the measurement of a biological feature.Biometrics refers the overall field of study, industry, and use ofbiometric identification and/or verification. It relies on the idea thatbiological processes generally do not produce truly identical objects.For example, even identical twins are measurably different. By measuringa biological object with sufficient accuracy, it may therefore bepossible to distinguish an individual from everyone else in thepopulation.

Biometric verification may be called for to confirm the identity of anindividual as part of the authentication process. Biometric verificationmay include sample acquisition, template extraction, a matching step,and/or other operations. According to some existing approaches, sampleacquisition may include capturing an image and/or other sample of afeature of a person that a biometric system relies on. For instance, afingerprint sensor may capture an image of the individual's finger. Irisrecognition may begin by capturing an image(s) of a person's eye(s).Such images may require specialized conditions such as, for example, aspecific light spectrum, angle of illumination, illumination intensity,projected illumination pattern, light polarization, and/or otherconditions. Specialized cameras that collect biometric samples may bereferred to as biometric sensors. In some existing approaches, abiometric sensor may include one or more other sensors, rather than orin addition to a camera.

Generally speaking, an extraction process may convert a biometric sampleinto an extracted feature set. Such a feature set may be referred to asa template. For example, a feature set may be extracted from an image ofa fingerprint as minutia data, which is a list including a type,location, and orientation of individual fingerprint features within theoverall fingerprint pattern. A template used for verification and/oridentification may typically be extracted from a single biometricsample. A template used for enrollment may often be derived from severalbiometric samples and/or several biometric templates, all from the samebiometric feature (e.g., the right index finger).

Existing matching processes generally may include aligning and/orcomparing the extracted feature sets, typically between an enrolledexemplary template—an “exemplar”—stored in an authentication server'sdatabase, and a live biometric sample or template. The comparison mayresult in a score and/or other metric that represents the likelihoodthat the exemplar and the live biometric sample are from the sameperson. The biometric sample quality (e.g., image quality), biologicalstatistics, score, and/or other factors may be combined to produce aconfidence metric that the biometric sample came from the person theuser claims to be.

Unfortunately, biometric features may be difficult to conceal or keepsecret. For example, a biometric sample may be obtained from a latentfingerprint left on a coffee cup or a high resolution facial image.Whether used to enroll in a biometric system, or used to verify one'sidentity, once a biometric sample has been captured, any compromise tothe security of how this data is handled may permanently place thatbiometric at large. Spoofing refers to the process of tricking abiometric sensor into acquiring a biometric sample from surrogatefeature, prosthetic feature, and/or other non-legitimate source, ratherthan a real biometric feature.

In a supervised setting, it may be difficult to fake a biometric sample.For example, an individual will most likely fail to cash a check at abank if they present someone else's driver's license as their ownidentification. With biometrics, a claimed identity may be verified byevidence that is merely an electronic representation of any real proofof identity. This might be viewed as analogous to handing a picture ofthe person on the driver's license to the bank teller when she tries toverify the identity of the check bearer.

In an unsupervised or remote setting, a biometric sample typically comesfrom a remote sensor. In many instances, the biometric sample mayinclude an image and/or other information that is transferred to theauthentication system. Ideally, a remote biometric sensor may be trustedto produce a real biometric sample, such that the biometric sample canbe tested and confirmed to, in fact, be from the person requestingaccess. In a setting such as an ATM, for example, any sensors aretypically physically protected and communications with them arecryptographically protected and/or verified. This is not generally thecase, however, in a setting such as a web browser running on a remotecomputer.

Without a trusted, verifiable source, a biometric sample and/or templatemay have come from anywhere. The simplest attack on some existingsystems may be referred to as a “replay attack,” which uses evidence orcredentials from a prior legitimate transaction to enable a laterillegitimate transaction. In the case of biometrics, a common replayattack completely eliminates or bypasses the biometric sensor. When theauthentication process requests biometric evidence, the bad actor simplysubmits a sample that was collected by some other means (e.g., afingerprint lifted off of a coffee cup or a biometric sample submittedas part of another (legitimate) transaction). Widespread use ofbiometric verification may portend a world where biometric exemplars arestolen and traded by criminals, just like stolen credit card numbers aremarketed today.

Existing systems may be prone to other types off attacks. One such typeof attack may be referred to as a “piggy-back.” In this case, the badactor copies biometric evidence and simultaneously submits the biometricevidence to enable a second illegitimate transaction. Another type ofattack may be referred to as “hijacking,” which may be viewed asanalogous to what is known as “phishing.” In this attack, the userperceives a legitimate transaction and responds by producing a realbiometric sample. However the perceived transaction and the actualtransaction may be different.

Many of the existing mechanisms meant to protect and enhance users'resources, firewalls, and/or virtual addresses may create problems. Forexample, a typical means of establishing trust in a biometric sample isto establish control over, and therefore trust in, the biometric sensor.However, this may require establishment of a one-to-one connectionbetween the authentication server and the biometric sensor. This can beboth impractical and undesirable because it may require substantialsetup, which prevents spontaneous connections, and potentially opensservice ports that may be exploited by a bad actor.

SUMMARY

One aspect of the invention relates to a system configured to validatethe authenticity and responsiveness of biometric evidence without regardfor whether there is direct control over a biometric sensor thatacquired the biometric evidence, in accordance with one or moreimplementations. Although system is described in the context ofbiometric authentication, this is not intended to be limiting as theprinciples disclosed herein may be applied to other systems and/ormethods that do not involve biometrics. The system may include one ormore of a server, a client computing platform, a sensor, and/or othercomponents. A browser may run on client computing platform. The browsermay include software that lets a user view documents, access files,access software, and/or perform other operations associated withbrowsers. For example, the browser may allow users to view or browsedocuments on the World Wide Web.

In some implementations, the client computing platform may becommunicatively coupled with the sensor such that the sensor is aperipheral device to the client computing platform. According to someimplementations, the client computing platform and the sensor may beintegrated as a single device.

The server may be configured to control access to one or more protectedresources. The protected resources may include one or more of protectedinformation (e.g., classified or personal documents), a protected device(e.g., a nuclear power plant or missile), money (for instance at anATM), physical access (permission to pass through a doorway), and/orother resources that are protected. According to some implementations,the protected resources may be stored by the server. The protectedresources may be stored remotely from the server.

The server may be configured to execute one or more computer programmodules. The computer program modules may include one or more of aserver communications module, an authentication module, an authorizationmodule, a gatekeeper module, and/or other modules.

The server communications module may be configured to receiveinformation from and transmit information to one or more components ofthe system. The server communications module may be configured toreceive a request to access the protected resources. The servercommunications module may be configured to transmit a request forbiometric evidence. Such a request may include a server challengeconfigured to identify the server (or components thereof) as the sourceof the request for biometric evidence. According to someimplementations, the server challenge includes a nonce. Generallyspeaking, a nonce includes a random number generated by a givenprocessor such that the random number is indiscernible prior to itsgeneration except by the given processor. The server communicationsmodule is described further herein.

The authentication module may be configured to validate authenticationdata received via the server communications module. Such authenticationdata may include information associated with a biometric sample, abiometric template, and/or other information. In accordance with someimplementations, the authentication module may be configured todetermine whether the authenticity of a biometric sample and/or abiometric template included in authentication data can be verifiedagainst an exemplar that is accessible by the one or more processors.The authentication module may be configured to determine whether theresponsiveness of a biometric sample and/or biometric template includedin authentication data can be verified based on a comparison betweensensor response, which may be based on a server challenge and/or may beincluded in the authentication data, and a server challenge sent withthe request for biometric evidence.

The authentication module may be configured to utilize cryptographictechnologies to validate authentication data. Such cryptographictechnologies may include public-key cryptography and/or othertechnologies. In some implementations, a private key may be associatedwith a public certificate stored at the sensor. A public keyinfrastructure (PKI) (e.g., a certificate signing authority) maymaintain a revocation list allowing the trustworthiness of the sensor(e.g., a public key and certificate chain of the sensor) to be revoked.Such revocation may be responsive to an unauthorized transaction beingassociated with the public certificate of the sensor. A breach ofintegrity self-reported by the sensor (described further herein) mayresult in immediate revocation of the public certificate of the sensor.The public certificate of the sensor may be revoked responsive tospoofing attempts. A revocation may be responsive to a certificate beingassociated with one or more transactions that were later deemed to beillegitimate. A revocation may be dictated by one or more policiesassociated with a required security level. In some implementations, aPKI with different levels of trustworthiness may be associated withdifferent certificates based on their usage history and other factors.

The authorization module may be configured to verify user information.By way of non-limiting example, user information may include one or moreof a user name, a password, a personal identification number (PIN),and/or other user information. In some implementations, authenticationdata received by the server communications module may include or bereceived with user information.

The gatekeeper module may be configured to grant access to the protectedresource responsive to a positive determination, such as by theauthentication module, that the authentication data is valid. Thegatekeeper module may be configured to deny access to the protectedresource responsive to a determination that the authentication data isnot valid.

The sensor may be configured to acquire biometric samples via a sampleacquisition apparatus. The sensor may be configured to execute one ormore computer program modules. The computer program modules may includeone or more of a sensor communications module, an anti-tampering module,a sample acquisition module, an anti-spoofing module, a sample qualitydetermination module, a template extraction module, a data packagingmodule, a signature module, and/or other modules.

The sensor communications module may be configured to receiveinformation from and transmit information to one or more components ofthe system. The sensor communications module may be configured totransmit a request for identification evidence in response to a requestfor access to the protected resources. The sensor communications modulemay be configured to receive a request for biometric evidence. A requestfor biometric evidence may be received responsive to a request to accessa protected resource. The request for biometric evidence may include aserver challenge configured to identify a server as the source of therequest for biometric evidence. The server challenge may include anonce. The server challenge may be associated with a particulartransaction.

The anti-tampering module may be configured to perform one or moreanti-tampering checks to determine whether the biometric sensor has beentampered with. In some implementations, the sensor communications modulemay be configured to transmit an indication that the sensor has beentampered with responsive to the one or more anti-tampering checksresulting in a positive determination. Such an indication may bereceived by the server. According to some implementations, theanti-tampering module may be configured to record an indication that thesensor has been tampered with responsive to the one or moreanti-tampering checks resulting in a positive determination. The sensormay be further configured to report any prior tampering indications thatit has recorded during subsequent communications.

The sample acquisition module may be configured to obtain a biometricsample and/or information associated with the biometric sample from thesample acquisition apparatus.

The anti-spoofing module may be configured to perform one or moreanti-spoofing checks to determine whether the biometric sample wasobtained from a surrogate feature, prosthetic feature, and/or otherillegitimate source. By way of non-limiting example, an anti-spoofingcheck may be based on multi-spectral illumination used to determine alikelihood that a finger is human flesh. As another example, ananti-spoofing check for iris-based authentication may measure whether apupil reacts to light to determine whether an eye is alive. In someimplementations, the sensor communications module may be configured totransmit an indication that the biometric sample was obtained from asurrogate feature, a prosthetic feature, and/or other non-legitimatesource responsive to the one or more anti-spoofing checks resulting in apositive determination. Such an indication may be received by theserver.

The sample quality determination module may be configured to determine aquality metric associated with the biometric sample. The quality metricmay be descriptive of one or more measurable aspects of the biometricsample. Where the biometric sample includes an image of a body partand/or physical feature of the user, examples of the one or moremeasurable aspects of the biometric sample may include one or more ofimage resolution, sharpness, noise, contrast, distortion, vignetting, apresence of one or more artifacts, and/or other quality metrics.According to some implementations, the sample quality determinationmodule may be configured to determine whether a biometric template ofsufficient quality can be extracted from the sample. By way ofnon-limiting illustration, the image quality might be good, but theperson blinked, resulting in complete or partial occlusion of the irisfeatures. The sample quality determination module may be configured toreject the biometric sample responsive to the quality metric associatedwith the biometric sample breaching a quality threshold.

The template extraction module may be configured to extract a biometrictemplate associated with the biometric sample. The biometric templatemay include measurement data from the biometric sample. For example,where the biometric sample includes an image of a fingerprint, themeasurement data of the biometric template may include minutia data.Generally speaking, minutia data may be descriptive of one or more of atype, location, or orientation of individual fingerprint features withina pattern of the fingerprint.

The data packaging module may be configured to provide authenticationdata based on the biometric sample. In some implementations, the datapackaging module is configured to combine the biometric template and theserver challenge into a unit of data serving as the authenticationevidence. Combining the biometric template and the server challenge intoa unit of data may include packing the biometric template and the serverchallenge into a single data block. In accordance with someimplementations, combining the biometric template and the serverchallenge into a unit of data may include (1) packing the biometrictemplate and the server challenge into two or more data blocks, (2)obtaining hashes of the two or more data blocks, and (3) obtaining across-coupled data block that includes the hashes of the two or moredata blocks. In accordance with some implementations, the data block mayinclude data derived from the challenge, in lieu of or in addition tothe original challenge. For example, the data block may include aresponse to the challenge.

The signature module may be configured to sign the evidence and/or aunit of data conveying the evidence with a digital signature. This mayinclude signing using a private key stored at the sensor. Such a privatekey may be associated with a PKI certificate stored at the sensor. Assuch, the biometric evidence may be validated by the server using thepublic certificate of the sensor. The public certificate of the sensormay be validated using a known public key of the manufacturer of thesensor. In some implementations, a certificate chain may includeinformation that the sensor can use to determine a security levelafforded by the sensor. By way of non-limiting example, a manufacturer,model number, serial number, and/or other identifying information may beencoded in the certificate chain to indicate a security level affordedby the sensor. Additionally, in some implementations, the signaturemodule is configured to sign, with an digital signature, an indicationthat the sensor has been tampered with, an indication that the biometricsample was obtained from a surrogate feature, a prosthetic feature,and/or other non-legitimate source, and/or other information transmittedby the sensor communications module.

These and other objects, features, and characteristics of the presentinvention, as well as the methods of operation and functions of therelated elements of structure and the combination of parts and economiesof manufacture, will become more apparent upon consideration of thefollowing description and the appended claims with reference to theaccompanying drawings, all of which form a part of this specification,wherein like reference numerals designate corresponding parts in thevarious figures. It is to be expressly understood, however, that thedrawings are for the purpose of illustration and description only andare not intended as a definition of the limits of the invention. As usedin the specification and in the claims, the singular form of “a”, “an”,and “the” include plural referents unless the context clearly dictatesotherwise.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates a system configured to validate the authenticity andresponsiveness of biometric evidence without regard for whether there isdirect control over a biometric sensor that acquired the biometricevidence, in accordance with one or more implementations.

FIG. 2 illustrates a data collection block, in accordance with one ormore implementations.

FIGS. 3A and 3B illustrate a method for validating the authenticity andresponsiveness of biometric evidence without regard for whether there isdirect control over a biometric sensor that acquired the biometricevidence, in accordance with one or more implementations.

DETAILED DESCRIPTION

A trust relationship may be established between a biometric sample and aserver configured for biometric authentication, in accordance with oneor more implementations. This may overcome one or more disadvantages ofexisting approaches to biometric authentication in that the servertrusts a biometric sample without being able to directly connect toand/or interrogate a biometric sensor that acquired the biometricsample. This is commonly the case when a service relying on biometricverification is web-based and the biometric evidence (e.g., biometricsample and/or biometric template) is being submitted via a web browser.According to exemplary implementations, the trust may be established byensuring that any biometric evidence submitted for verification issubmitted in response to an intended transaction. For example, in someimplementations, only a data block containing a biometric sample and/ortemplate that is (1) appended with a server-generated challenge (e.g., anonce) and (2) signed by the biometric sensor may validate that thebiometric evidence is responsive to a current request and belongs to acurrent authentication session. In some implementations, trust may beestablished and/or enhanced due to one or more security features (e.g.,anti-spoofing, anti-tampering, and/or other security features) beingcollocated with the biometric sensor at the actual biometric samplingsite.

FIG. 1 illustrates a system 100 configured to validate the authenticityand responsiveness of biometric evidence without regard for whetherthere is direct control over a biometric sensor that acquired thebiometric evidence, in accordance with one or more implementations.Although system 100 is described in the context of biometricauthentication, this is not intended to be limiting as the principlesdisclosed herein may be applied to other systems and/or methods that donot involve biometrics. As depicted in FIG. 1, system 100 may includeone or more of a server 102, a client computing platform 104, a sensor106, and/or other components. A browser 108 may run on client computingplatform 104. The browser 108 may include software that lets a user viewdocuments, access files, access software, and/or perform otheroperations associated with browsers. For example, browser 108 may allowusers to view or browse documents on the World Wide Web.

In some implementations, client computing platform 104 may becommunicatively coupled with sensor 106 such that sensor 106 is aperipheral device to client computing platform 104. According to someimplementations, client computing platform 104 and sensor 106 may beintegrated as a single device.

The server 102 may be configured to control access to one or moreprotected resources 110. The protected resources 110 may include one ormore of protected information (e.g., classified or personal documents),a protected device (e.g., a nuclear power plant or missile), money (forinstance at an ATM), physical access (permission to pass through adoorway), and/or other resources that are protected. According to someimplementations, protected resources 110 may be stored by server 102.The protected resources 110 may be stored remotely from server 102.

The server 102 may be configured to communicate with client computingplatforms 104, the sensor 106, and/or other components of system 100according to a client/server architecture. The server 102 may beconfigured to execute one or more computer program modules. The computerprogram modules may include one or more of a server communicationsmodule 112, an authentication module 114, an authorization module 116, agatekeeper module 118, and/or other modules.

The server communications module 112 may be configured to receiveinformation from and transmit information to one or more components ofsystem 100. The server communications module 112 may be configured toreceive a request to access protected resources 110. The servercommunications module 112 may be configured to transmit a request forbiometric evidence. Such a request may include a server challengeconfigured to identify server 102 (or components thereof) as the sourceof the request for biometric evidence. According to someimplementations, the server challenge includes a nonce. Generallyspeaking, a nonce includes a random number generated by a givenprocessor such that the random number is indiscernible prior to itsgeneration except by the given processor. The server communicationsmodule 112 is described further herein.

The authentication module 114 may be configured to validateauthentication data received via server communications module 112. Suchauthentication data may include information associated with a biometricsample, a biometric template, and/or other information. In accordancewith some implementations, authentication module 114 may be configuredto determine whether the authenticity of a biometric sample and/or abiometric template included in authentication data can be verifiedagainst an exemplar that is accessible by the one or more processors.The authentication module 114 may be configured to determine whether theresponsiveness of a biometric sample and/or biometric template includedin authentication data can be verified based on a comparison betweensensor response, which may be based on a server challenge and/or may beincluded in the authentication data, and a server challenge sent withthe request for biometric evidence.

The authentication module 114 may be configured to utilize cryptographictechnologies to validate authentication data. Such cryptographictechnologies may include public-key cryptography and/or othertechnologies. In some implementations, a private key may be associatedwith a public key infrastructure (PKI) certificate stored at sensor 106.Generally speaking, a public key infrastructure certificate may identifyone or more of a manufacturer of a sensor, a vendor of a sensor, asensor type, a sensor model, a serial number, a security feature, asecurity level, and/or other information associated with a sensor thatis the same or similar to sensor 106. A public key infrastructure (e.g.,a certificate signing authority) may maintain a revocation list allowingthe trustworthiness of sensor 106 (e.g., a public key and certificatechain of sensor 106) to be revoked. Such revocation may be responsive toan unauthorized transaction being associated with the public certificateof sensor 106. A breach of integrity self-reported by sensor 106(described further herein) may result in immediate revocation of thepublic certificate of sensor 106. The public certificate of sensor 106may be revoked responsive to spoofing attempts. A revocation may beresponsive to a certificate being associated with one or moretransactions that were later deemed to be illegitimate. A revocation maybe dictated by one or more policies associated with a required securitylevel. In some implementations, a PKI with different levels oftrustworthiness may be associated with different certificates based ontheir usage history and other factors.

The authorization module 116 may be configured to verify userinformation. By way of non-limiting example, user information mayinclude one or more of a user name, a password, a personalidentification number (PIN), and/or other user information. In someimplementations, authentication data received by server communicationsmodule 112 may include or be received with user information.

The gatekeeper module 118 may be configured to grant access to protectedresource 110 responsive to a positive determination, such as by theauthentication module 114, that the authentication data is valid. Thegatekeeper module 118 may be configured to deny access to protectedresource 110 responsive to a determination that the authentication datais not valid.

The sensor 106 may be configured to acquire biometric samples via asample acquisition apparatus 120. According to various implementations,sample acquisition apparatus 120 may include one or more of a camera, animaging device, an illuminator, a lens, a cradle, a capacitivemeasurement device, a transducer, and/or other apparatuses configured toacquire biometric samples. In some implementations, obtaining abiometric sample may include capturing an image of a body part and/orphysical feature of the user. This may include an image of afingerprint, a face, an iris pattern, a voice print, a vein pattern,and/or other body parts or physical features of the user.

The display apparatus 121 may be configured to display information fromsensor 106 and/or other components of system 100 to a user. In someimplementations, display apparatus 121 may be configured to present atransaction identifier to a user. The transaction identifier may conveyinformation identifying a specific transaction. This may allow a user toverify that a biometric sample is being gathered in response to theperceived transaction. The transaction identifier may be presented asone or more of an image, an icon, text, or other visual identifier. Insome implementations, display apparatus 121 may display a URL of aservice that has requested biometric evidence.

The sensor 106 may be configured to execute one or more computer programmodules. The computer program modules may include one or more of asensor communications module 122, an anti-tampering module 124, a sampleacquisition module 126, an anti-spoofing module 128, a sample qualitydetermination module 130, a template extraction module 132, a datapackaging module 134, a signature module 136, and/or other modules.

The sensor communications module 122 may be configured to receiveinformation from and transmit information to one or more components ofsystem 100. The sensor communications module 122 may be configured totransmit a request for identification evidence in response to a requestfor access to protected resources 110. The sensor communications module122 may be configured to receive a request for biometric evidence. Arequest for biometric evidence may be received responsive to a requestto access a protected resource. The request for biometric evidence mayinclude a server challenge configured to identify a server (e.g., server102) as the source of the request for biometric evidence. The serverchallenge may include a nonce. The server challenge may be associatedwith a particular transaction.

The anti-tampering module 124 may be configured to perform one or moreanti-tampering checks to determine whether the biometric sensor has beentampered with. By way of non-limiting example, sensor 106 may include anelectrically conductive foil strip positioned so that it will be gluedto screws that hold a housing case of sensor 106 together. Once the gluehardens, removing the screws will break the foil, resulting in adiscernable change in the resistance of the foil. As part of themanufacturing process, the foil's resistance may be measured and storedin write-once memory with sensor 106. As part of its anti-tamperingcheck, sensor 106 may measure the resistance of the foil and compare itto the stored value. In some implementations, sensor communicationsmodule 122 may be configured to transmit an indication that sensor 106has been tampered with responsive to the one or more anti-tamperingchecks resulting in a positive determination. Such an indication may bereceived by server 102. According to some implementations,anti-tampering module 124 may be configured to record an indication thatsensor 106 has been tampered with responsive to the one or moreanti-tampering checks resulting in a positive determination. The sensor106 may be further configured to report any prior tampering indicationsthat it has recorded during subsequent communications.

The sample acquisition module 126 may be configured to obtain abiometric sample and/or information associated with the biometric samplefrom sample acquisition apparatus 120.

The anti-spoofing module 128 may be configured to perform one or moreanti-spoofing checks to determine whether the biometric sample wasobtained from a surrogate feature, prosthetic feature, and/or otherillegitimate source. By way of non-limiting example, an anti-spoofingcheck may be based on multi-spectral illumination used to determine alikelihood that a finger is human flesh. As another example, ananti-spoofing check for iris-based authentication may measure whether apupil reacts to light to determine whether an eye is alive. In someimplementations, sensor communications module 122 may be configured totransmit an indication that the biometric sample was obtained from asurrogate feature, a prosthetic feature, and/or other non-legitimatesource responsive to the one or more anti-spoofing checks resulting in apositive determination. Such an indication may be received by server102.

The sample quality determination module 130 may be configured todetermine a quality metric associated with the biometric sample. Thequality metric may be descriptive of one or more measurable aspects ofthe biometric sample. Where the biometric sample includes an image of abody part and/or physical feature of the user, examples of the one ormore measurable aspects of the biometric sample may include one or moreof image resolution, sharpness, noise, contrast, distortion, vignetting,a presence of one or more artifacts, and/or other quality metrics.According to some implementations, sample quality determination module130 may be configured to determine whether a biometric template ofsufficient quality can be extracted from the sample. By way ofnon-limiting illustration, the image quality might be good, but theperson blinked, resulting in complete or partial occlusion of the irisfeatures. The sample quality determination module 130 may be configuredto reject the biometric sample responsive to the quality metricassociated with the biometric sample breaching a quality threshold.

The template extraction module 132 may be configured to extract abiometric template associated with the biometric sample. The biometrictemplate may include measurement data from the biometric sample. Forexample, where the biometric sample includes an image of a fingerprint,the measurement data of the biometric template may include minutia data.Generally speaking, minutia data may be descriptive of one or more of atype, location, or orientation of individual fingerprint features withina pattern of the fingerprint.

The data packaging module 134 may be configured to provideauthentication data based on the biometric sample. In someimplementations, data packaging module 134 is configured to combine thebiometric template and the server challenge into a unit of data servingas the authentication evidence. Combining the biometric template and theserver challenge into a unit of data may include packing the biometrictemplate and the server challenge into a single data block. An exemplarydata collection block is described in connection with FIG. 2. Inaccordance with some implementations, combining the biometric templateand the server challenge into a unit of data may include (1) packing thebiometric template and the server challenge into two or more datablocks, (2) obtaining hashes of the two or more data blocks, and (3)obtaining a cross-coupled data block that includes the hashes of the twoor more data blocks. In accordance with some implementations, the datablock may include data derived from the challenge, in lieu of or inaddition to the original challenge. For example, the data block mayinclude a response to the challenge.

The signature module 136 may be configured to sign the evidence and/or aunit of data conveying the evidence with a digital signature. This mayinclude signing using a private key stored at sensor 106. Such a privatekey may be associated with a PKI certificate stored at sensor 106. Assuch, the biometric evidence may be validated by server 102 using thepublic certificate of sensor 106. The public certificate of sensor 106may be validated using a known public key of the manufacturer of sensor106. In some implementations, a certificate chain may includeinformation that sensor 106 can use to determine a security levelafforded by sensor 106. By way of non-limiting example, a manufacturer,model number, serial number, and/or other identifying information may beencoded in the certificate chain to indicate a security level affordedby sensor 106. Additionally, in some implementations, signature module136 is configured to sign, with an digital signature, an indication thatsensor 106 has been tampered with, an indication that the biometricsample was obtained from a surrogate feature, a prosthetic feature,and/or other non-legitimate source, and/or other information transmittedby sensor communications module 122.

FIG. 2 illustrates a data collection block 200, in accordance with oneor more implementations. The data collection block 200 may include asequence of bytes, a data stream, and/or another unit of data. In someimplementations, data collection block 200 may include two or moreseparate units of data, individual ones of which including more, less,or similar information as shown in FIG. 2. As depicted in FIG. 2, datacollection block 200 includes nonce byte(s) 202, status byte(s) 204,biometric template byte(s) 206, digital signature byte(s) 208, and/orbyte(s) conveying other information. The depiction of data collectionblock 200 is not intended to be limiting. For example, the arrangementof bytes in data collection block 200 may be different than depicted, inaccordance with some implementations. As another example, datacollection block 200 may include one or more padding bytes configured toprotect the integrity of a cryptographic scheme applied to datacollection block 200. In some implementations, data collection block 200is provided by a data packaging module that is the same or similar todata packaging module 134.

The nonce byte(s) 202 may convey information associated with a nonceand/or other server challenge sent by server 102, in someimplementations. The nonce byte(s) 202 may be provided in conjunctionwith a server communications module that is the same or similar toserver communications module 112, in some implementations.

The status byte(s) 204 may convey information associated with anindication that a tampering attempt has been made, an indication that aspoofing attempt has been made, a status indication of sensor 106, astatus indication of client computing platform 104, and/or otherinformation associated with client computing platform 104 and/or sensor106. According to some implementations, status byte(s) 204 may beprovided in conjunction with one or more modules that are the same orsimilar to one or more modules of sensor 106. In one implementation, forexample, status byte(s) 204 may be provided in conjunction withanti-tampering module 124, anti-spoofing module 128, template extractionmodule 132, signature module 136, and/or other modules of sensor 106.

The biometric template byte(s) 206 may convey information associatedwith a biometric template, a biometric sample, and/or other biometricevidence. In accordance with some implementations, biometric templatebyte(s) 206 may be provided in conjunction with a sample acquisitionmodule that is the same or similar to anti-tampering module 124, and/ora template extraction module that is the same or similar to templateextraction module 132.

The digital signature byte(s) 208 may convey information associated witha signature provided at sensor 106. The digital signature byte(s) 208may serve to validate nonce byte(s) 202, status byte(s) 204, biometrictemplate byte(s) 206, and/or other bytes included in data collectionblock 200. The digital signature byte(s) 208 may be provided inconjunction with a signature module that is the same or similar tosignature module 136.

FIGS. 3A and 3B illustrate a method 300 for establishing trust inbiometric evidence without regard for whether there is direct controlover a biometric sensor that acquired the biometric evidence, inaccordance with one or more implementations. The operations of method300 presented below are intended to be illustrative. In someimplementations, method 300 may be accomplished with one or moreadditional operations not described, and/or without one or more of theoperations discussed. Additionally, the order in which the operations ofmethod 300 are illustrated in FIG. 3 and described below is not intendedto be limiting.

In some implementations, method 300 may be implemented in one or moreprocessing devices (e.g., a digital processor, an analog processor, adigital circuit designed to process information, an analog circuitdesigned to process information, a state machine, and/or othermechanisms for electronically processing information). The one or moreprocessing devices may include one or more devices executing some or allof the operations of method 300 in response to instructions storedelectronically on an electronic storage medium. The one or moreprocessing devices may include one or more devices configured throughhardware, firmware, and/or software to be specifically designed forexecution of one or more of the operations of method 300.

At an operation 302, a request to access a protected resource (e.g.,protected resources 110) is transmitted from client computing platform104 to server 102. In some implementations, the request may be passedfrom browser 108 running on client computing platform 104 to server 102.The operation 302 may be performed in conjunction with a servercommunications module that is the same or similar to servercommunications module 112, in accordance with some implementations.

At an operation 304, server 102 may determine whether a biometricauthentication is required to grant access to the protected resource.The biometric authentication may include confirmation that a userclaiming a given identity and seeking access to the protected resourceactually has an identity matching the claimed identity. In someimplementations, operation 304 may be performed by an authenticationmodule that is the same or similar to authentication module 114.

At an operation 306, a request for biometric evidence may be transmittedfrom server 102 to client computing platform 104. In someimplementations, the request for biometric evidence may be transmittedfrom server 102 to browser 108 running on client computing platform 104.The biometric evidence may include a biometric sample, a biometrictemplate, and/or other biometric evidence configured to facilitatebiometric authentication. The request for biometric evidence may includea nonce and/or other server challenge configured to identify server 102as the source of the request for biometric evidence. The operation 306may be performed in conjunction with a server communications module thatis the same or similar to server communications module 112, according tosome implementations.

At an operation 308, the request for the biometric evidence may betransmitted from client computing platform 104 to sensor 106. In someimplementations, the request for biometric evidence may be transmittedfrom browser 108 running on client computing platform 104 to sensor 106.The operation 308 may be performed in conjunction with a sensorcommunications module that is the same or similar to sensorcommunications module 122, in accordance with some implementations.

At an operation 310, one or more anti-tampering checks may be performedto determine whether sensor 106 has been tampered with. In someimplementations, responsive to the one or more anti-tampering checksresulting in a positive determination (i.e., that an anti-tamperingcheck failed), an indication that sensor 106 has been tampered with maybe transmitted to server 102 and/or may be recorded in memory at sensor106. In some implementations, sensor 106 may transmit records oftampering. In accordance with some implementations, operation 310 may beperformed by an anti-tampering module that is the same or similar toanti-tampering module 124.

At an operation 312, a biometric sample may be obtained at sensor 106.The biometric sample may include data associated with a physical featureassociated with the user seeking access to the protected resource. Insome implementations, obtaining the biometric sample may includecapturing an image of a body part of the user (e.g., a finger print, aface, an iris pattern, and/or other body part). The operation 312 may beperformed by sample acquisition apparatus 120 of sensor 106 inconjunction with a sample acquisition module that is the same or similarto sample acquisition module 126, in accordance with someimplementations.

At an operation 314, one or more anti-spoofing checks may be performedto determine whether the biometric sample was obtained from a surrogatefeature, prosthetic feature, and/or other illegitimate source. In someimplementations, responsive to the one or more anti-spoofing checksresulting in a positive determination (i.e., that an anti-spoofing checkfailed), an indication that the biometric sample was obtained from asurrogate feature, a prosthetic feature, and/or other non-legitimatesource may be transmitted to server 102. According to someimplementations, operation 314 may be performed by an anti-spoofingmodule that is the same or similar to anti-spoofing module 128.

At an operation 316, a quality metric associated with the biometricsample may be determined. The quality metric may be descriptive of oneor more measurable aspects of the biometric sample. By way ofnon-limiting example, where the biometric sample includes an image of abody part of the user, the one or more measurable aspects of thebiometric sample may include one or more of image resolution, sharpness,noise, contrast, distortion, vignetting, a presence of one or moreartifacts, and/or other metrics. The biometric sample may be rejectedresponsive to the quality metric associated with the biometric samplebreaching a quality threshold. The biometric sample may be rejectedbecause it did not produce an acceptable biometric template. Forexample, in some implementations, when the quality of the biometricsample is too low, method 300 may proceed to operation 310, operation312, or another operation of method 300. The operation 316 may beperformed by a sample quality determination module that is the same orsimilar to sample quality determination module 130, in someimplementations.

At an operation 318, a biometric template associated with the biometricsample may be extracted. The biometric template may include measurementdata from the biometric sample. By way of non-limiting example, wherethe biometric sample includes an image of a fingerprint, the measurementdata of the biometric template may include minutia data. Generallyspeaking, minutia data may be descriptive of one or more of a type,location, or orientation of individual fingerprint features within apattern of the fingerprint. In some implementations, operation 318 maybe performed by a template extraction module that is the same or similarto template extraction module 132.

At an operation 320, the biometric template and the challenge (nonce)issued by server 102 may be combined into a single data block (e.g.,data collection block 200). The operation 320 may be performed by a datapackaging module that is the same or similar to data packaging module134, in accordance with some implementations.

At an operation 322, the data block may be signed with a digitalsignature. The digital signature may be associated with a private keystored at sensor 106. In some implementations, operation 322 may beperformed by a signature module that is the same or similar to signaturemodule 136.

At an operation 324, one or more anti-tampering checks may be performedto determine whether sensor 106 has been tampered with. In someimplementations, responsive to the one or more anti-tampering checksresulting in a positive determination (i.e., that an anti-tamperingcheck failed), an indication that sensor 106 has been tampered with maybe transmitted to server 102 and/or may be recorded in memory at sensor106. Sensor 106 may transmit recorded indications of tampering. Inaccordance with some implementations, operation 324 may be performed byan anti-tampering module that is the same or similar to anti-tamperingmodule 124.

At an operation 326, the signed data block may be transmitted fromsensor 106 to client computing platform 104. In some implementations,the signed data block may be transmitted from sensor 106 to browser 108running on client computing platform 104. The operation 326 may beperformed in conjunction with a sensor communications module that is thesame or similar to sensor communications module 122, according to someimplementations.

At an operation 328, the signed data block may be transmitted fromclient computing platform 104 to server 102. In some implementations,the signed data block may be passed from browser 108 running on clientcomputing platform 104 to server 102. During operation 328, additionaluser information may be transmitted to server 102. Such additional userinformation may include one or more of a user name, a password, apersonal identification number (PIN), and/or other user information.According to some implementations, operation 328 may be performed inconjunction with a server communications module that is the same orsimilar to server communications module 112.

At an operation 330, a determination may be made as to whether thesigned unit of data is valid, which may be performed by anauthentication module that is the same or similar to authenticationmodule 114. Determining whether the signed data block is valid mayinclude comparing the biometric template and nonce sent from sensor 106(via the signed data block) to an exemplar and a challenge (nonce)stored by server 102. The operation 330 may include determining whetherany additional user information transmitted with the signed unit of datais valid, which may be performed by an authorization module that is thesame or similar to authorization module 116.

At an operation 332, access to the protected resource may be grantedresponsive to a determination that the signed data block is valid, oraccess to the protected resource may be denied responsive to adetermination that the signed data block is not valid. In accordancewith some implementations, operation 332 may be performed by agatekeeper module that is the same or similar to gatekeeper module 118.

Referring again to FIG. 1, server 102, client computing platform 104,protected resources 110, and/or other components of system 100 may beoperatively linked via one or more electronic communication links. Forexample, such electronic communication links may be established, atleast in part, via a network such as the Internet and/or other networks.It will be appreciated that this is not intended to be limiting, andthat the scope of this disclosure includes implementations in whichserver 102, client computing platform 104, protected resources 110,and/or other components of system 100 may be operatively linked via someother communication media or may be directly connected.

The client computing platform 104 may include one or more processorsconfigured to execute computer program modules. The computer programmodules may be configured to enable an expert or user associated withthe client computing platform 104 to interface with sensor 106,protected resources 110, and/or other components of system 100, and/orprovide other functionality attributed herein to client computingplatform 104. By way of non-limiting example, client computing platform104 may include one or more of a desktop computer, a laptop computer, ahandheld computer, a NetBook, a Smartphone, a gaming console, and/orother computing platforms.

The server 102 may include electronic storage 138, one or moreprocessors 140, and/or other components. The server 102 may includecommunication lines, or ports to enable the exchange of information witha network and/or other computing platforms. Illustration of server 102in FIG. 1 is not intended to be limiting. The server 102 may include aplurality of hardware, software, and/or firmware components operatingtogether to provide the functionality attributed herein to server 102.For example, server 102 may be implemented by a cloud of computingplatforms operating together as server 102.

The electronic storage 138 may comprise electronic storage media thatelectronically stores information. The electronic storage media ofelectronic storage 138 may include one or both of system storage that isprovided integrally (i.e., substantially non-removable) with server 102and/or removable storage that is removably connectable to server 102via, for example, a port (e.g., a USB port, a firewire port, etc.) or adrive (e.g., a disk drive, etc.). The electronic storage 138 may includeone or more of optically readable storage media (e.g., optical disks,etc.), magnetically readable storage media (e.g., magnetic tape,magnetic hard drive, floppy drive, etc.), electrical charge-basedstorage media (e.g., EEPROM, RAM, etc.), solid-state storage media(e.g., flash drive, etc.), and/or other electronically readable storagemedia. The electronic storage 138 may include one or more virtualstorage resources (e.g., cloud storage, a virtual private network,and/or other virtual storage resources). The electronic storage 138 maystore software algorithms, information determined by processor(s) 140,information received from server 102, information received from clientcomputing platform 104, information received from sensor 106, and/orother information that enables server 102 to function as describedherein.

Processor(s) 140 is configured to provide information processingcapabilities in server 102. As such, processor(s) 140 may include one ormore of a digital processor, an analog processor, a digital circuitdesigned to process information, an analog circuit designed to processinformation, a state machine, and/or other mechanisms for electronicallyprocessing information. Although processor(s) 140 is shown in FIG. 1 asa single entity, this is for illustrative purposes only. In someimplementations, processor(s) 140 may include a plurality of processingunits. These processing units may be physically located within the samedevice, or processor(s) 140 may represent processing functionality of aplurality of devices operating in coordination. The processor(s) 140 maybe configured to execute modules 112, 114, 116, 118, and/or othermodules. The processor(s) 140 may be configured to execute modules 112,114, 116, 118, and/or other modules by software; hardware; firmware;some combination of software, hardware, and/or firmware; and/or othermechanisms for configuring processing capabilities on processor(s) 140.

It should be appreciated that although modules 112, 114, 116, and 118are illustrated in FIG. 1 as being co-located within a single processingunit, in implementations in which processor(s) 140 includes multipleprocessing units, one or more of modules 112, 114, 116, and/or 118 maybe located remotely from the other modules. The description of thefunctionality provided by the different modules 112, 114, 116, and/or118 described below is for illustrative purposes, and is not intended tobe limiting, as any of modules 112, 114, 116, and/or 118 may providemore or less functionality than is described. For example, one or moreof modules 112, 114, 116, and/or 118 may be eliminated, and some or allof its functionality may be provided by other ones of modules 112, 114,116, and/or 118. As another example, processor(s) 140 may be configuredto execute one or more additional modules that may perform some or allof the functionality attributed below to one of modules 112, 114, 116,and/or 118.

The sensor 106 may include electronic storage 142, one or moreprocessors 144, and/or other components. The sensor 106 may includecommunication lines, or ports to enable the exchange of information witha network and/or other computing platforms. Illustration of sensor 106in FIG. 1 is not intended to be limiting. The sensor 106 may include aplurality of hardware, software, and/or firmware components operatingtogether to provide the functionality attributed herein to sensor 106.

The electronic storage 142 may comprise electronic storage media thatelectronically stores information. The electronic storage media ofelectronic storage 142 may include one or both of system storage that isprovided integrally (i.e., substantially non-removable) with sensor 106and/or removable storage that is removably connectable to sensor 106via, for example, a port (e.g., a USB port, a firewire port, etc.) or adrive (e.g., a disk drive, etc.). The electronic storage 142 may includeone or more of optically readable storage media (e.g., optical disks,etc.), magnetically readable storage media (e.g., magnetic tape,magnetic hard drive, floppy drive, etc.), electrical charge-basedstorage media (e.g., EEPROM, RAM, etc.), solid-state storage media(e.g., flash drive, etc.), and/or other electronically readable storagemedia. The electronic storage 142 may include one or more virtualstorage resources (e.g., cloud storage, a virtual private network,and/or other virtual storage resources). The electronic storage 142 maystore software algorithms, information determined by processor(s) 144,information received from server 102, information received from clientcomputing platform 104, and/or other information that enables sensor 106to function as described herein.

The processor(s) 144 is configured to provide information processingcapabilities in sensor 106. As such, processor(s) 144 may include one ormore of a digital processor, an analog processor, a digital circuitdesigned to process information, an analog circuit designed to processinformation, a state machine, and/or other mechanisms for electronicallyprocessing information. Although processor(s) 144 is shown in FIG. 1 asa single entity, this is for illustrative purposes only. In someimplementations, processor(s) 144 may include a plurality of processingunits. These processing units may be physically located within the samedevice, or processor(s) 144 may represent processing functionality of aplurality of devices operating in coordination. The processor(s) 144 maybe configured to execute modules 122, 124, 126, 128, 130, 132, 134, 136,and/or other modules. The processor(s) 144 may be configured to executemodules 122, 124, 126, 128, 130, 132, 134, 136, and/or other modules bysoftware; hardware; firmware; some combination of software, hardware,and/or firmware; and/or other mechanisms for configuring processingcapabilities on processor(s) 144.

It should be appreciated that although modules 122, 124, 126, 128, 130,132, 134, and 136 are illustrated in FIG. 1 as being co-located within asingle processing unit, in implementations in which processor(s) 144includes multiple processing units, one or more of modules 122, 124,126, 128, 130, 132, 134, and/or 136 may be located remotely from theother modules. The description of the functionality provided by thedifferent modules 122, 124, 126, 128, 130, 132, 134, and/or 136described below is for illustrative purposes, and is not intended to belimiting, as any of modules 122, 124, 126, 128, 130, 132, 134, and/or136 may provide more or less functionality than is described. Forexample, one or more of modules 122, 124, 126, 128, 130, 132, 134,and/or 136 may be eliminated, and some or all of its functionality maybe provided by other ones of modules 122, 124, 126, 128, 130, 132, 134,and/or 136. As another example, processor(s) 144 may be configured toexecute one or more additional modules that may perform some or all ofthe functionality attributed below to one of modules 122, 124, 126, 128,130, 132, 134, and/or 136.

Although implementations of the present invention are described in thecontext of biometrics, this is not intended to be limiting. For example,some implementations may be applicable to any field that requires asensor to verify that data it transmits is contemporaneous and valid.Examples of such fields may include security cameras, alarm systems,house arrest bracelets, smart card readers, credit card readers,magnetic stripe readers, and/or other fields. By way of non-limitingexample, a security camera may include an implementation of the presentinvention to prevent someone from replacing a live video feed with areplay, or other false video, which might be used to present a falsesituation (e.g., no one's in the corridor) to a monitor. As anothernon-limiting example, a cryptographically verifiable, consumer owned,credit card swipe sensor may provide a level of security to onlinecredit card transactions by invoking an implementation of the presentinvention. As yet another non-limiting example, a smart card reader mayutilize an implementation of the present invention such that a serverchallenge (e.g., a nonce) may be signed by a sensor of the smart cardreader and by the smart card itself (e.g., by a processor included inthe smart card so as not to reveal cryptographic secrets of the smartcard), thus inexorably tying the transaction to the particular sensorand smart card.

Although the invention has been described in detail for the purpose ofillustration based on what is currently considered to be the mostpractical and preferred implementations, it is to be understood thatsuch detail is solely for that purpose and that the invention is notlimited to the disclosed implementations, but, on the contrary, isintended to cover modifications and equivalent arrangements that arewithin the spirit and scope of the appended claims. For example, it isto be understood that the present invention contemplates that, to theextent possible, one or more features of any implementation can becombined with one or more features of any other implementation.

What is claimed is:
 1. A sensor configured to acquire evidence that isto be provided for validation of the authenticity and responsiveness ofthe evidence without regard for whether there is direct control over thesensor, the sensor comprising: a sample acquisition apparatus configuredto acquire one or more samples; and one or more processors configured toexecute computer program modules, the computer program modulescomprising: a communications module configured to receive a request forevidence, the evidence including one or more samples or a representationof one or more samples, the request for evidence including a challenge;a sample acquisition module configured to obtain individual ones of theone or more samples acquired by the sample acquisition apparatus; and adata packaging module configured to combine the evidence and a responseto the challenge into a signed unit of data, the sensor communicationsmodule being further configured to transmit the signed unit of data;wherein the evidence included in the signed unit of data is validatedbased on a comparison between the response to the challenge included inthe signed unit of data and the challenge sent with the request forevidence.
 2. The sensor of claim 1, wherein the challenge includes anonce, the nonce including a random number generated by a givenprocessor, the random number being indiscernible prior to its generationexcept by the given processor.
 3. The sensor of claim 1, wherein thecomputer program modules further comprise an anti-tampering moduleconfigured to perform one or more anti-tampering checks to determinewhether the sensor has been tampered with.
 4. The sensor of claim 3,wherein the sensor communications module is further configured totransmit an indication that the sensor has been tampered with responsiveto the one or more anti-tampering checks resulting in a positivedetermination.
 5. The sensor of claim 3, wherein the anti-tamperingmodule is further configured to record an indication that the sensor hasbeen tampered with responsive to the one or more anti-tampering checksresulting in a positive determination.
 6. The sensor of claim 1, whereinindividual ones or the one or more samples acquired by the sampleacquisition apparatus include a biometric sample obtained for one ormore of biometric authentication, identification, verification, orenrollment.
 7. The sensor of claim 1, further comprising a templateextraction module configured to extract a template associated with agiven sample acquired by the sample acquisition apparatus, the templateincluding measurement data from the given sample.
 8. The sensor of claim1, wherein a given sample includes an image of a body part of a user. 9.The sensor of claim 1, wherein the computer program modules furthercomprise an anti-spoofing module configured to perform one or moreanti-spoofing checks to determine whether a given sample was obtainedfrom one or more of a false representation of a sample acquired by thesample acquisition apparatus, a surrogate, or a prosthetic.
 10. Thesensor of claim 9, wherein the sensor communications module is furtherconfigured to transmit an indication that the given sample was obtainedfrom one or more of a false representation of a sample acquired by thesample acquisition apparatus, a surrogate feature, or a prostheticfeature, the indication being transmitted responsive to the one or moreanti-spoofing checks resulting in a positive determination.
 11. Thesensor of claim 1, wherein the request for evidence is receivedresponsive to a request to access a protected resource, the protectedresource including one or both of protected information or a protecteddevice.
 12. The sensor of claim 1, wherein combining the evidence andthe challenge into the signed unit of data includes packing the evidenceand the challenge into a single data block.
 13. The sensor of claim 1,wherein combining the evidence and the challenge into the signed unit ofdata includes: packing the evidence and the challenge into two or moredata blocks; obtaining hashes of the two or more data blocks; andobtaining a cross-coupled data block that includes the hashes of the twoor more data blocks.
 14. The sensor of claim 1, wherein the computerprogram modules further comprise a signature module configured toprovide a digital signature for the signed unit of data.
 15. The sensorof claim 14, wherein the digital signature is associated with a privatekey stored at the sensor.
 16. The sensor of claim 15, wherein theprivate key is associated with a public key infrastructure certificate,the public key infrastructure certificate identifying one or more of amanufacturer of the sensor, a vendor of the sensor, a sensor type, asensor model, a serial number, a security feature, or a security level.17. The sensor of claim 1, further comprising a display apparatusconfigured to present a transaction identifier to a user.
 18. The sensorof claim 17, wherein the transaction identifier is presented as one ormore of an image, an icon, or text.
 19. A system configured to validatethe authenticity and responsiveness of evidence without regard forwhether there is direct control over a sensor that acquired theevidence, the system comprising: one or more processors configured toexecute computer program modules, the computer program modulescomprising: a communications module configured to transmit a request forevidence, the evidence including one or more samples or a representationof one or more sample, the request for evidence including a challenge;the communications module being further configured to receive a unit ofdata signed with a digital signature, the signed unit of data includingevidence and a response to the challenge; and an authentication moduleconfigured to determine whether the evidence included in the signed unitof data is valid based on a comparison between the response to thechallenge included in the signed unit of data and the challenge sentwith the request for evidence.
 20. The system of claim 19, wherein theauthentication module is further configured to validate the signed unitof data based on the digital signature of the unit of data.
 21. Thesystem of claim 19, wherein the challenge includes a nonce, the nonceincluding a random number generated by a given processor, the randomnumber being indiscernible prior to its generation except by the givenprocessor.
 22. The system of claim 19, wherein the signed unit of datais received via a browser running on a client computing platform. 23.The system of claim 19, wherein the signed unit of data is received fromone or more of a security camera, a smart card reader, a credit cardreader, a magnetic stripe reader, or a biometric sensor.
 24. A methodfor validating the authenticity and responsiveness of evidence withoutregard for whether there is direct control over a sensor that acquiredthe evidence, the method comprising: transmitting a request forevidence, the evidence including one or more samples or a representationof one or more samples, the request including a challenge; receiving aunit of data signed with an digital signature, the signed unit of dataincluding evidence and a response to the challenge; and determiningwhether the evidence included in the signed unit of data is valid basedon a comparison between the response to the challenge included in thesigned unit of data and the challenge sent with the request forevidence.
 25. The method of claim 24, wherein determining whether theevidence included in the signed unit of data is valid is further basedon validating the digital signature of the unit of data.
 26. The methodof claim 24, wherein the challenge includes a nonce, the nonce includinga random number generated by a given processor, the random number beingindiscernible prior to its generation except by the given processor. 27.The method of claim 24, wherein the signed unit of data is received viaa browser running on a client computing platform.
 28. The method ofclaim 24, wherein the signed unit of data is received from one or moreof a security camera, a smart card reader, a credit card reader, amagnetic stripe reader, or a biometric sensor.